What do Data Protection fines look like now that GDPR is in effect?

How recent Data Protection fines could have been worse under GDPR

In May 2018 the General Data Protection Regulation (GDPR) came into effect, which sought to change how data was used by companies that held any personal information on EU citizens.

The Information Commissioner’s Office (ICO) has commented that they would not be making examples of small companies during the early days of the implementation of the regulations, and also that they were not hoping to make large fines a regular occurrence. However, the ICO released some information on how they would be deciding on which level of fine to impose for breaches.

Because of this, we have taken a look at some of the most recent fines under the UK’s old Data Protection Act (DPA) to see what would have happened had GDPR been in force, and what companies could do to avoid making mistakes.

Recent fines pre-GDPR

Uber

The most recent fine from the ICO was for the US-based company Uber. Uber offers a ridesharing service, similar to taxis, as well as food delivery services and bike sharing. In 2016, Uber experienced a cyber-attack in which hackers gained access to 35 million people’s names, phone numbers, email addresses and the location where they had signed up to the service. The hackers also managed to gain access to the records of 82,000 UK-based Uber drivers, which included journeys that the drivers had made and details of their pay. Uber had also failed to inform their customers that the breach had taken place.

The ICO outlines two tiers of fines based on the severity of the data breach. As Uber had a large data breach and failed to inform their customers, it is likely that had this happened now they could have received the higher-level fine under GDPR, which is 4% of annual turnover or €20m, whichever is higher. Uber were actually fined £385k, whereas under GDPR this could have been a €800m fine if we calculated this using their published turnover figure from 2016.

Following an investigation into the attack, it was deemed that Uber was at fault as their data security was flawed, allowing hackers to steal information on the 2.7 million UK-based customers and drivers. Uber also suffered reputational damage after failing to tell their customers about the breach until the following year, in November 2017. This would have been a serious offence under GDPR, where customers must be informed of breaches within 72 hours.

Gloucester Police and UK Government

The UK Government were themselves fined £200k by the ICO in July 2018, two months after the GDPR came into effect, when a mass email by an officer from Gloucester Police, who were also fined £80,000, leaked the identities of abuse victims. According to reports, the officer, as part of the Independent Inquiry into Child Sexual Abuse, had sent out a blind carbon copied (bcc) email to 90 of the victims involved in the trials. After noticing an error, the officer sent out a corrected email but included the email addresses in the “to” line instead of the “bcc” line, thus revealing the email addresses of the participants. Of these addresses, 52 contained the full name or a name label, identifying the victims by name.

Although the breach of information only affected roughly 90 people, the nature of the leak could have had severe implications for the outcome of the trials or the safety of the participants, and this was due to an oversight by the officer involved. This error was a simple mistake that a lot of us could have made, but it ended up causing a huge fine which could have been even higher under GDPR guidelines today. To avoid mistakes like this, it is vital that you reinforce the importance of double-checking confidential information before it is sent anywhere.

Facebook Ireland / Facebook

In October 2018, Facebook was fined £500,000 for breaches of the Data Protection Act principles. These included Principle 1, which covers fair and lawful processing of data, and Principle 7, which covers security. The fine was for their part in the Cambridge Analytica scandal, when Facebook gave access to the Canada-based Cambridge Analytica that harvested information from 87 million Facebook profiles.

In 2017, Facebook’s annual revenue came in at $40.7bn (€35bn); 4% of annual turnover equates to €1.4bn ($1.6bn). Under GDPR guidelines this percentage is the maximum fine that could be imposed.

This fine could have been avoided by clamping down on how data is used within a company, and how it is transferred between companies. This can be achieved by following the ICO’s GDPR guide.

Equifax

Equifax is a consumer credit reporting agency based in the United States with offices in the UK. They experienced a cyber-attack between May and July 2017. The company was fined £500k for failing to protect the data of their UK customers during the breach. Equifax were also found to have breached 5 out of the 8 principles set out in the Data Protection Act, including the security, international transfers and retention principles.

Even though the fine was applied under the Data Protection Act to the UK branch of the company, under GDPR the fine would apply to the parent company. Given that Equifax breached several of the Data Protection Act principles, and given the number of people affected (694,000 UK-based customers), it is likely that Equifax could have faced the upper tier of the GDPR fines.

Like Uber, Equifax were also found to have insufficient data protection in place for their customers’ personal information. Stronger data protection can be achieved by taking on board the GDPR guidance from the ICO and using firewalls and anti-virus software, which are designed to protect against hacks and data breaches.

Cyber Insurance

One of the recurring themes of these fines is the amount of data that is being stolen in cyber-attacks. Research has shown that 43% of all UK businesses have experienced some form of cyber breach in the last 12 months, with the average cost per breach being £3,100. With GDPR now in effect, there has never been a more important time to make sure that your cyber security is able to keep your data safe.

Whilst cyber insurance won’t necessarily stop you from experiencing an attack, it can help to cover the costs of rebuilding following the breach. Cyber Insurance arranged by Premierline can offer cover that includes handling any communications with customers following a breach, covers physical as well as digital assets, and can offer forensic support to assist with police reports.

The information and tools contained in this guide are of a general informational nature and should not be relied upon as being suitable for any specific set of circumstances. We have used reasonable endeavours to ensure the accuracy and completeness of the contents but the information and tools do not constitute professional advice and must not be relied upon as such. To the extent permitted by law, we do not accept responsibility for any loss which may arise from reliance on the information or tools in our Insight Hub.

Premierline Business Insurance Broker is a trading name of Allianz Business Services Limited, registered in England and Wales under company number 4521167. Registered Office: 57 Ladymead, Guildford, Surrey, GU1 1DB. Allianz Business Services Limited is authorised and regulated by the Financial Conduct Authority and is covered by the Financial Ombudsman Service. Our FCA registration number is 304779.